(A report to Uber’s bug bounty program at HackerOne was closed as a duplicate for a report they said they cannot show me. The report to FIS Global was closed by Bugcrowd’s triagers as not applicable, with a generic response containing some explanations about OpenID Connect that appeared to be entirely unrelated to my report. After I asked for an explanation, I was asked to provide a proof of concept after the issue was already fixed. Stack Overflow has no bug bounty program, but fixed it after a report to their security contact.)
What’s even the point of bounty programs if they’re just going to shirk responsibility or not pay you anyways? Insulting behavior from these mega corps.
Good finds by the OP. Am I understanding correctly that by being able to sign your own tokens, that impersonation becomes fairly trivial if you can find the right claims for the roles being read?
What’s even the point of bounty programs if they’re just going to shirk responsibility or not pay you anyways? Insulting behavior from these mega corps.
This is actually partially why companies do bug bounties. Controlling the narrative around bugs is part of the stated benefit of a bounty. This is also why vendors often become CVE CNAs and why it’s possible for some large vendors to sweep real vulnerabilities under the rug (“not a security boundary” might as well be some of those groups’ catchphrase).
There also is the protection for companies via indirect incentives: if someone reports something and they deny it and suddenly the vuln pops up in, say, pastebin, then they might have a responsible party, and it disincentivizes the reporters from dumping it publicly in case they retaliate.
What’s even the point of bounty programs if they’re just going to shirk responsibility or not pay you anyways? Insulting behavior from these mega corps.
The flip side of this is the sheer unbelievable amount of spam you get if you run a bug bounty, from people who just run an automated scanner, see it pop out a “hm, the DMARC config on that domain isn’t quite what the scanner authors think it ought to be” and fire an email to alert you to the ultra-super-duper-hyper-mega-critical vulnerability they found, and how much will you be paying for it, please?
Or the people who report a bug that you can’t reproduce, reply to a request for proof-of-concept with “Certainly! Here is the proof of concept of the vulnerability:” and it doesn’t trigger any sort of bad behavior, and you realize you’ve been talking to someone’s “AI” that hallucinated a vulnerability and now they can’t be talked out of believing it.
Or… well, let me just say it’s not great from either side of the fence. I’m not surprised at all if the initial triage at some big ones is shaky from time to time.
Honestly, this happens every time I talk about bad behavior from bug bounty platforms. And I think it’s a pretty weird excuse to say that treating legit reporters badly is understandable, because there are so many spam reports.
“We get plenty of spammy and bad reports.” Yeah. I know. I don’t care. It does not justify any of this. It does not justify treating every report that has the word “DMARC” in it as a spam report, because you’ve seen so many DMARC-related spam reports before. It does not justify assuming that if you don’t understand the report, it must be one of those spammy reports, and you can copy-paste something from ChatGPT to get rid of the reporter. (Which I believe is what happened here.) NONE OF THAT IS OKAY, and it absolutely does not matter how many spammy reports you got before.
The way I have always put this is: the organization created a bug bounty; it is not the reporter’s problem to deal with the organizational unpreparedness or staffing issues because they didn’t understand what it entails. While I empathize with how annoying triaging bug bounties is, I do not sympathize with the organizations at all; they signed up for this.
Yeah. I know. I don’t care. It does not justify any of this.
I feel this in my soul. The vulnerability researcher is doing functionally free (or very cheap in the bounty case) labor, and for some reason the people who get that work are deeply entitled to it. If I were a thinking man, I’d probably draw parallels between the OSS community and business interests’ entitlement to support.
If you’re allowed to be frustrated at problems you see from your side of bounty programs, I’m allowed to be frustrated about problems I see from my side.